Wednesday, June 19, 2024

You, Too, Can Rent the Mirai Botnet

Two hackers are renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone’s behest.

For our readers unfamiliar with Mirai, this is a malware family that targets embedded systems and Internet of Things (IoT) devices and has been used in the past two months to launch the largest DDoS attacks known to date.

Previous high-profile victims included French Internet service provider OVH (1.1 Tbps), managed DNS service provider Dyn (size unknown), and the personal blog of investigative journalist Brian Krebs (620 Gbps), who at the time, had just recently uncovered an Israeli DDoS-for-Hire service called vDos.

400K botnet spawned from original Mirai source code

After the OVH and Krebs DDoS attacks, the creator of this malware open-sourced Mirai, so other crooks could deploy their own botnets and cover some of the malware creator’s tracks.

According to a Flashpoint report, this is exactly what happened, with multiple Mirai botnets popping up all over the web, as small-time crooks tried to set up their personal DDoS cannons.

Two security researchers that go online only by their nicknames, 2sec4u and MalwareTech, have been tracking some of these Mirai-based botnets via the @MiraiAttacks Twitter account and the MalwareTech Botnet Tracker.

The two say that most of the Mirai botnets they follow are relatively small in size, but there is one much much bigger than most.

“You can see when they [massive botnet operators] launch DDoS attacks because the graph on my tracker drops by more than half,” MalwareTech told Bleeping Computer. “They have more bots than all the other Mirai botnets put together.”

400K Mirai botnet available for renting

In a spam campaign carried out via XMPP/Jabber started yesterday, two hackers have begun advertising their own DDoS-for-hire service, built on the Mirai malware.

The two claim to be in the control of a Mirai botnet of 400,000 devices, albeit we couldn’t 100% verify it’s the same botnet observed by 2sec4u and MalwareTech (more on this later).

A redacted version of the spam message is available below, along with the ad’s text.


Botnet developed by reputable hackers

The two hackers behind this botnet are BestBuy and Popopret, the same two guys behind the GovRAT malware that was used to breach and steal data from countless of US companies. More details about their previous endeavors are available in an InfoArmor report relesed this autumn.

The two are also part of a core group of hackers that were active on the infamous Hell hacking forum, considered at one point the main meeting place for many elite hackers, so it’s safe to say these are not your regular script kiddies.

Bleeping Computer reached out to both hackers via Jabber. Both Popopret and BestBuy had the time for a conversation but declined to answer some of our questions, not to expose sensitive information about their operation and their identities.

Botnet isn’t cheap

According to the botnet’s ad and what Popopret told us, customers can rent their desired quantity of Mirai bots, but for a minimum period of two weeks.

“Price is determined by amount of bots (more bots more money), attack duration (longer = more money), and cooldown time (longer = discount),” Popopret told Bleeping Computer.

Customers don’t get discounts if they buy larger quantities of bots, but they do get a discount if they use longer DDoS cooldown periods.

“DDoS cooldown” is a term that refers to the time between consecutive DDoS attacks. DDoS botnets use cooldown times to avoid maxing out connections, filling and wasting bandwidth, but also preventing devices from pinging out and disconnecting during prolonged attack waves.

Popopret provided an example: “price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks.” As you can see, this is no cheap service.

Once the botnet owners reach an agreement with the buyer, the customer gets the Onion URL of the botnet’s backend, where he can connect via Telnet and launch his attacks.

400K botnet has evolved, added new features

Compared to the original Mirai source code that was leaked online at the start of October, the botnet Popopret and BestBuy are advertising has undergone a serious facelift.

The original Mirai botnet was limited to only 200,000 bots. As security researcher 2sec4u told Bleeping Computer, this was because the Mirai malware only came with support for launching brute-force attacks via Telnet, and with a hardcoded list of 60 username & password combinations.

The 200K limit is because there are about only 200,000 Internet-connected devices that have open Telnet ports and use one of the 60 username & password combinations.

Popopret and BestBuy expanded the Mirai source by adding the option to carry out brute-force attacks via SSH, but also added support for the malware to exploit a zero-day vulnerability in an unnamed device.

2sec4u says he suspected new Mirai malware variants might use exploits and zero-days, but this is currently unconfirmed since nobody reverse-engineered recent versions of the Mirai malware binary to confirm Popopret’s statements.

Also Read :


Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles